Convert xfce settings management to systemd units

MANIFEST.in

@@ -5,7 +5,6 @@ include dom0/*.yml
 include dom0/*.conf
 include dom0/remove-tags.py
 include dom0/securedrop-handle-upgrade
-include dom0/update-xfce-settings
 include README.md
 include LICENSE
 include VERSION

dom0/sd-clean-all.sls

@@ -48,22 +48,6 @@ include:
   - sd-usb-autoattach-remove
 {% endif %}
 
-# Reset desktop icon size to its original value
-dom0-reset-icon-size-xfce:
-  cmd.script:
-    - name: salt://update-xfce-settings
-    - args: reset-icon-size
-    - runas: {{ gui_user }}
-
-# Reset power management options to their original values
-{% if d.environment == "prod" or d.environment == "staging" %}
-dom0-reset-power-management-xfce:
-  cmd.script:
-    - name: salt://update-xfce-settings
-    - args: reset-power-management
-    - runas: {{ gui_user }}
-{% endif %}
-
 # Removes all salt-provisioned files (if these files are also provisioned via
 # RPM, they should be removed as part of remove-dom0-sdw-config-files-dev)
 remove-dom0-sdw-config-files:
@@ -84,17 +68,6 @@ remove-rpc-policy-tags:
   cmd.script:
     - name: salt://remove-tags
 
-sd-cleanup-etc-changes:
-  file.replace:
-    - names:
-      - /etc/systemd/logind.conf
-    - pattern: '### BEGIN securedrop-workstation ###.*### END securedrop-workstation ###\s*'
-    - flags:
-      - MULTILINE
-      - DOTALL
-    - repl: ''
-    - backup: no
-
 sd-cleanup-sys-firewall:
   cmd.run:
     - names:
@@ -111,3 +84,19 @@ disable-systemd-units:
       # Even with "runas", "systemctl --user" from root will fail unless we
       # tell it explicitly how to connect to the user systemd.
       - XDG_RUNTIME_DIR: /run/user/{{ gui_user_id }}
+
+# Reset desktop icon size to its original value
+dom0-reset-icon-size-xfce:
+  cmd.script:
+    - name: /usr/bin/securedrop/update-xfce-settings
+    - args: reset-icon-size
+    - runas: {{ gui_user }}
+
+# Reset power management options to their original values
+{% if d.environment == "prod" or d.environment == "staging" %}
+dom0-reset-power-management-xfce:
+  cmd.script:
+    - name: /usr/bin/securedrop/update-xfce-settings
+    - args: reset-power-management
+    - runas: {{ gui_user }}
+{% endif %}

dom0/sd-dom0-files.sls

@@ -54,13 +54,6 @@ dom0-install-debian-minimal-template:
 
 {% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %}
 
-# Increase the default icon size for the GUI user for usability/accessibility reasons
-dom0-adjust-desktop-icon-size-xfce:
-  cmd.script:
-    - name: salt://update-xfce-settings
-    - args: adjust-icon-size
-    - runas: {{ gui_user }}
-
 dom0-login-autostart-directory:
   file.directory:
     - name: /home/{{ gui_user }}/.config/autostart
@@ -123,12 +116,3 @@ dom0-write-environment-flag:
     - replace: False
     - require:
       - file: dom0-remove-old-environment-flag
-
-# Hide suspend/hibernate options in menus in prod systems
-{% if d.environment == "prod" or d.environment == "staging" %}
-dom0-disable-unsafe-power-management-xfce:
-  cmd.script:
-    - name: salt://update-xfce-settings
-    - args: disable-unsafe-power-management
-    - runas: {{ gui_user }}
-{% endif %}

files/logind-override-disable.service

@@ -1,11 +1,11 @@
 [Unit]
-Description=Disable power management settings
+Description=Disable logind power management customization (dev systems only)
+ConditionPathExists=/var/lib/securedrop-workstation/dev
+Before=systemd-logind.service
 
 [Service]
 Type=oneshot
-Before=systemd-logind.service
 ExecStart=rm -f /etc/systemd/logind.conf.d/10-logind_override.conf
-ConditionPathExists=/var/lib/securedrop-workstation/dev
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

files/user-xfce-icon-size.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Enlarge XFCE icon size for SDW
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/securedrop/update-xfce-settings adjust-icon-size
+
+[Install]
+WantedBy=default.target

files/user-xfce-settings.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Enable XFCE customizations for SDW
+ConditionPathExists=|!/var/lib/securedrop-workstation/dev
+ConditionPathExists=|/var/lib/securedrop-workstation/prod
+ConditionPathExists=|/var/lib/securedrop-workstation/staging
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/securedrop/update-xfce-settings disable-unsafe-power-management
+
+[Install]
+WantedBy=default.target

rpm-build/SPECS/securedrop-workstation-dom0-config.spec

@@ -68,14 +68,16 @@ install -m 755 -d %{buildroot}/srv/salt/sd/sd-workstation
 install -m 755 -d %{buildroot}/srv/salt/sd/usb-autoattach
 install -m 755 -d %{buildroot}/%{_datadir}/%{name}/scripts
 install -m 755 -d %{buildroot}/%{_bindir}
+install -m 755 -d %{buildroot}/opt/securedrop
+install -m 755 -d %{buildroot}/usr/bin/securedrop
 install -m 644 dom0/*.sls %{buildroot}/srv/salt/
 install -m 644 dom0/*.top %{buildroot}/srv/salt/
 install -m 644 dom0/*.j2 %{buildroot}/srv/salt/
 install -m 644 dom0/*.yml %{buildroot}/srv/salt/
 install -m 644 dom0/*.conf %{buildroot}/srv/salt/
 install -m 755 dom0/remove-tags.py %{buildroot}/srv/salt/remove-tags
 install -m 755 dom0/securedrop-handle-upgrade %{buildroot}/srv/salt/
-install -m 755 dom0/update-xfce-settings %{buildroot}/srv/salt/
+install -m 755 files/update-xfce-settings %{buildroot}/usr/bin/securedrop/
 install -m 644 sd-proxy/* %{buildroot}/srv/salt/sd/sd-proxy/
 install -m 644 sd-whonix/* %{buildroot}/srv/salt/sd/sd-whonix/
 install -m 644 sd-workstation/* %{buildroot}/srv/salt/sd/sd-workstation/
@@ -94,6 +96,7 @@ install -m 755 -d %{buildroot}/%{_datadir}/icons/hicolor/128x128/apps/
 install -m 755 -d %{buildroot}/%{_datadir}/icons/hicolor/scalable/apps/
 install -m 755 -d %{buildroot}/%{_sharedstatedir}/%{name}/
 install -m 755 -d %{buildroot}/%{_userunitdir}/
+install -m 755 -d %{buildroot}/%{_unitdir}
 install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/%{_datadir}/applications/
 install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/srv/salt/press.freedom.SecureDropUpdater.desktop
 install -m 644 files/securedrop-128x128.png %{buildroot}/%{_datadir}/icons/hicolor/128x128/apps/securedrop.png
@@ -103,6 +106,7 @@ install -m 755 files/sdw-notify.py %{buildroot}/%{_bindir}/sdw-notify
 install -m 755 files/sdw-login.py %{buildroot}/%{_bindir}/sdw-login
 install -m 644 files/sdw-notify.service %{buildroot}/%{_userunitdir}/
 install -m 644 files/sdw-notify.timer %{buildroot}/%{_userunitdir}/
+install -m 644 files/logind-override-disable.service %{buildroot}/%{_unitdir}/
 
 install -m 755 -d %{buildroot}/etc/qubes/policy.d/
 install -m 644 files/31-securedrop-workstation.policy %{buildroot}/etc/qubes/policy.d/
@@ -111,11 +115,10 @@ install -m 644 files/32-securedrop-workstation.policy %{buildroot}/etc/qubes/pol
 install -m 755 -d %{buildroot}/usr/share/securedrop/icons
 install -m 644 files/securedrop-128x128.png %{buildroot}/usr/share/securedrop/icons/sd-logo.png
 
-install -m 755 -d %{buildroot}/opt/securedrop
-
 install -m 755 -d %{buildroot}/etc/systemd/logind.conf.d/
 install -m 644 files/10-logind_override.conf %{buildroot}/etc/systemd/logind.conf.d/
-install -m 644 files/logind-override-disable.service %{buildroot}/%{_unitdir}/
+install -m 644 files/user-xfce-settings.service %{buildroot}/%{_userunitdir}/
+install -m 644 files/user-xfce-icon-size.service %{buildroot}/%{_userunitdir}/
 
 %files
 %attr(755, root, root) %{_datadir}/%{name}/scripts/clean-salt
@@ -128,7 +131,6 @@ install -m 644 files/logind-override-disable.service %{buildroot}/%{_unitdir}/
 /srv/salt/dom0-xfce-desktop-file.j2
 /srv/salt/remove-tags
 /srv/salt/securedrop-*
-/srv/salt/update-xfce-settings
 /srv/salt/fpf*
 /srv/salt/press.freedom.SecureDropUpdater.desktop
 
@@ -145,17 +147,20 @@ install -m 644 files/logind-override-disable.service %{buildroot}/%{_unitdir}/
 %{_datadir}/icons/hicolor/scalable/apps/securedrop.svg
 %{_userunitdir}/sdw-notify.service
 %{_userunitdir}/sdw-notify.timer
+%{_userunitdir}/user-xfce-settings.service
+%{_userunitdir}/user-xfce-icon-size.service
 %{_unitdir}/logind-override-disable.service
 
 %attr(664, root, root) /etc/qubes/policy.d/31-securedrop-workstation.policy
 %attr(664, root, root) /etc/qubes/policy.d/32-securedrop-workstation.policy
+
+# Override systemd-logind settings on staging and prod systems
 /etc/systemd/logind.conf.d/10-logind_override.conf
 
 #TODO: this is the same 128x128 icon "securedrop.png" in the datadir
 /usr/share/securedrop/icons/sd-logo.png
 
-#TODO: is this superseded by notifier/updater file locations, above?
-/opt/securedrop
+%attr(755, root, root) /usr/bin/securedrop/update-xfce-settings
 
 %doc README.md
 %license LICENSE
@@ -166,11 +171,29 @@ find /srv/salt -maxdepth 1 -type f -iname '*.top' \
     | sed -e 's/\.top$$//g' \
     | xargs qubesctl top.enable > /dev/null
 
-
 # Force full run of all Salt states - uncomment in release branch
 # mkdir -p /tmp/sdw-migrations
 # touch /tmp/sdw-migrations/whonix-17-update
 
+# Enables service that conditionally removes our systemd-logind customizations
+# on dev machines only.
+# It's clumsy, but overrides to systemd services can't be conditionally applied.
+# Changes take place after systemd restart.
+systemctl enable logind-override-disable.service
+
+# Customize xfce power settings and icon size. Enabled for all users.
+# Power settings changes conditionally disabled in dev environments.
+systemctl --global enable user-xfce-icon-size.service ||:
+systemctl --global enable user-xfce-settings.service ||:
+
+% preun
+# If we're uninstalling (vs upgrading)
+if [ $1 -eq 0 ]; then
+    systemctl disable --now logind-override-disable.service
+    systemctl --global disable user-xfce-icon-size.service ||:
+    systemctl --global disable user-xfce-settings.service ||:
+fi
+
 %changelog
 * Wed Feb 7 2024 SecureDrop Team <[email protected]> - 0.10.0
 - Use Whonix-17 template for sd-whonix